This week, we have details of a potential vulnerability in existing Prometheus installations with no endpoint security enabled, details of a new tool to help organizations map their API attack surface, a report on the analysis of publicly available OpenAPI definition files, and news on upcoming API security awareness and training from We Hack Purple.

Vulnerability: Unsafe Defaults in Prometheus Expose Secrets

JFrog recently published a report on a potential vulnerability in Prometheus, a popular open-source event monitoring and alerting solution. Attackers could query unsecured endpoints to retrieve sensitive data.
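As an added illustration (not from the JFrog report or this newsletter), a minimal Prometheus web configuration that replaces the default of serving every endpoint unauthenticated over plain HTTP; the file paths, username and bcrypt hash are placeholders:

```yaml
# web.yml, passed to Prometheus with --web.config.file=web.yml
# Without a web config file, Prometheus serves all HTTP endpoints with no TLS
# and no authentication, which is the exposure described above.
tls_server_config:
  cert_file: /etc/prometheus/prometheus.crt   # placeholder path
  key_file: /etc/prometheus/prometheus.key    # placeholder path
basic_auth_users:
  # username: bcrypt hash of the password (placeholder value shown)
  monitor: $2y$12$PLACEHOLDER_BCRYPT_HASH
```

Scrapers and dashboards that read from this instance then need matching credentials, so the change should be rolled out together with their configuration.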

Source: DZone